This forum doesn't seem to support SSL/TLS (HTTPS). I've always acknowledged this and I don't re-use my EMD password on other sites. Not everyone uses unique passwords everywhere though.

Today, the newest Firefox version just came out and it draws attention to password fields on insecure websites with a warning. Specifically, when you attempt to enter a password on an insecure site (such as EMD) it actually drops a warning down below the password field as you type.

I think insecure websites aren't long for this world, certainly those with logins that deal with personal and sometimes private data and conversations, and today's update to Firefox highlights this. I expect the other major browsers to follow suit if they haven't already and then everyone who uses this forum will be seeing security warnings every time they visit.

I'm not the most regular user of this forum so I'm not actually familiar with who owns or runs the site, but I hope they have a long-term plan for a migration towards https.

Don't get me wrong, it's not a bad thing that folks have been trained nowadays to avoid entering sensitive information on sites that don't use SSL/TLS (aka HTTPS) connections, but forum software packages like vBulletin have long used password hashing algorithms so that your password isn't actually travelling across the wire "in the clear," even if the site isn't using SSL/TLS.

In essence, when you enter your password into EMD (or any other vBulletin forum), an "encrypted" form of your password (known as an MD5 hash in this case) is created in your browser's memory space using JavaScript. This MD5 hash is what gets sent across the wire to EMD's servers, where it's compared to the same hash stored in the vBulletin user database on EMD.

An MD5 hash is a non-reversible cryptographic algorithm, which means that you can turn a password into an MD5 hash, but you can't turn that MD5 hash back into a password. Your password is also stored in the same way in the vBulletin user database (meaning nobody at EMD or any other vBulletin forum will have any way of knowing your password — assuming they haven't modified vBulletin to deliberately capture passwords). When you log in, the two MD5 hashes are simply compared to each other, not the "real" passwords.

The only catch of course is that this assumes you haven't disabled JavaScript in your browser.

Note that you can more or less confirm this yourself by looking at the page source. This is the password submission form on the EMD home page. Note the references to the "md5hash" and the "vbulletin_md5" javascript:

Of course, this again assumes that you're not logging into a site with a deliberately malicious administrator, since of course the "vbulletin_md5.js" JavaScript could really be doing anything they want it to in this case, however the mere use of an SSL/TLS certificate doesn't actually change anything if you don't trust the site you're using in the first place.
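
A simplified model of the login exchange described in the reply above, added here as an example (it is not vBulletin's code and not part of the thread). The field names, the sample account and the plain unsalted digest storage are assumptions that follow the post's description; the model shows what the form body contains and what the server actually compares.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode


def md5_hex(text):
    """MD5 hex digest of a string, as the client-side script would compute it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def browser_form_body(username, password):
    """Form body after the client-side script runs: the typed password is
    blanked and its MD5 digest is sent instead (field names are hypothetical)."""
    fields = {"username": username, "password": "", "md5hash": md5_hex(password)}
    return urlencode(fields)


class ForumServer:
    """Server side as the post describes it: stored digest vs. submitted digest."""

    def __init__(self):
        self._stored = {}

    def register(self, username, password):
        self._stored[username] = md5_hex(password)

    def login(self, form_body):
        fields = dict(parse_qsl(form_body, keep_blank_values=True))
        stored = self._stored.get(fields.get("username", ""))
        submitted = fields.get("md5hash", "")
        # Constant-time comparison; the cleartext password is never consulted.
        return stored is not None and hmac.compare_digest(stored, submitted)


def demo():
    server = ForumServer()
    server.register("alice", "correct horse")  # constructed sample account
    first = browser_form_body("alice", "correct horse")
    second = browser_form_body("alice", "correct horse")
    return {
        "password_on_wire": "correct" in first,
        "same_bytes_every_login": first == second,
        "login_ok": server.login(first),
        "wrong_password_ok": server.login(browser_form_body("alice", "guess")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The typed password stays off the wire, but the digest that replaces it is identical on every login and is the only value the server checks, so over plain HTTP it needs the same transport protection the password would.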